Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii


Reported on

Nov 1st 2021


An attacker can log a user out: if a logged-in user visits an attacker-controlled page, the browser issues the logout request with the user's session cookie attached.

This vulnerability lets an attacker force an unintended logout on a user.


Tested on Edge, Firefox, Chrome and Safari.


The logout route should be registered as POST instead of GET/ANY.

To expand:

One way GET/ANY can be abused here is that a person (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet. If a user of your site stumbles upon that page, the browser fetches the "image" with the user's session cookie attached and the user is unknowingly logged out. This is why the route should be a POST protected by a @csrf token: a cross-site page can make the browser send the cookie, but it cannot read the per-session token it would need to include in the form.


While this cannot harm a user's account, it is a real annoyance and is considered a valid CSRF.
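To make the GET-versus-POST point concrete, here is an added illustration written for this page; it is not firefly-iii's code and does not reproduce the fix commit. It models a session-backed app with two route shapes: a logout route that accepts any method with no token check (the GET/ANY shape the report describes), and one that requires POST plus a per-session CSRF token compared in constant time. The `App`, `cross_site_get`, `cross_site_post` and `legitimate_logout` helpers and the `_token` field name are assumptions made for the example (the field name mirrors what Laravel's @csrf directive emits, but nothing here is Laravel code).

```python
import hmac
import secrets


class App:
    """Minimal in-memory model of a session-backed web app with a logout route.

    Added illustration, not firefly-iii's code. logout_requires_post=False
    models a GET/ANY logout route (vulnerable); True models a POST route
    guarded by a per-session CSRF token.
    """

    def __init__(self, logout_requires_post):
        self.logout_requires_post = logout_requires_post
        self.sessions = {}  # session id -> {"user": ..., "csrf": ...}

    def login(self, user):
        """Create a session and return its id (the value the cookie carries)."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        """The token a legitimate logout form embeds (what @csrf renders)."""
        return self.sessions[sid]["csrf"]

    def is_logged_in(self, sid):
        return sid in self.sessions

    def handle(self, method, path, cookie, form):
        """Dispatch one request and return an HTTP status code."""
        if path != "/logout":
            return 404
        session = self.sessions.get(cookie)
        if session is None:
            return 302  # not logged in: nothing to do, redirect to login
        if self.logout_requires_post:
            if method != "POST":
                return 405  # GET (image tag, link prefetch) cannot log out
            token = form.get("_token", "")
            # Constant-time comparison; the token lives only in the session
            # and the legitimate form, never in a URL a third party can guess.
            if not hmac.compare_digest(token, session["csrf"]):
                return 419  # Laravel's "page expired" status for a bad CSRF token
        # GET/ANY shape: no method check and no token check at all.
        del self.sessions[cookie]
        return 302


def cross_site_get(app, sid):
    """Attacker page holding <img src="https://victim/logout">: the browser
    sends the victim's cookie but no form fields, because the attacker page
    cannot read the token from the victim's session."""
    return app.handle("GET", "/logout", sid, {})


def cross_site_post(app, sid):
    """Auto-submitting cross-site form: same forgery, just with POST."""
    return app.handle("POST", "/logout", sid, {})


def legitimate_logout(app, sid):
    """The site's own logout form, rendered with the session's token."""
    return app.handle("POST", "/logout", sid, {"_token": app.csrf_token(sid)})


def demo():
    """Run both route shapes against the forged and legitimate requests."""
    results = {}
    vulnerable = App(logout_requires_post=False)
    sid = vulnerable.login("alice")
    results["vulnerable_get_status"] = cross_site_get(vulnerable, sid)
    results["vulnerable_still_logged_in"] = vulnerable.is_logged_in(sid)

    fixed = App(logout_requires_post=True)
    sid = fixed.login("alice")
    results["fixed_get_status"] = cross_site_get(fixed, sid)
    results["fixed_post_no_token_status"] = cross_site_post(fixed, sid)
    results["fixed_still_logged_in"] = fixed.is_logged_in(sid)
    results["fixed_legit_status"] = legitimate_logout(fixed, sid)
    results["fixed_logged_out_after_legit"] = not fixed.is_logged_in(sid)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cookie travels with every request the browser makes, cross-site or not, so the method restriction alone only blocks the image-tag vector; the token check is what stops an auto-submitting cross-site form. Requiring POST without the token would still be forgeable.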


We have contacted a member of the firefly-iii team and are waiting to hear back 2 years ago
James Cole validated this vulnerability 2 years ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
James Cole marked this as fixed with commit 47fa9e 2 years ago
James Cole has been awarded the fix bounty
This vulnerability will not receive a CVE
web.php#L84 has been validated